Skip to content

@Bean of AuthenticationManager from WebSecurityConfigurerAdapter throws either StackOverflowError or OutOfMemoryError #10477

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
matheusg-morillo opened this issue Nov 6, 2021 · 3 comments
Closed

@Bean of AuthenticationManager from WebSecurityConfigurerAdapter throws either StackOverflowError or OutOfMemoryError #10477

matheusg-morillo opened this issue Nov 6, 2021 · 3 comments
Assignees
@sjohnr
Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: bug A general bug

Comments

@matheusg-morillo
Copy link

Describe the bug
I'm overriding the authenticationManager method from the WebSecurityConfigurerAdapter in order to create its bean, howerver whenever I try to turn the spring context up (in a test annotated with a @SpringBootTest for example), I get either a StackOverflowError or OutOfMemoryError. I tracked this error to the authenticationManager method, because whenever I remove the @bean annotation the error disappears.

I'm using gradle, Java 11 and spring-boot-starter-security version 2.5.6

To Reproduce

  1. Override the authenticationManager from the WebSecurityConfigurerAdapter class and add a Bean annotation
  2. Try to run a test annotated with SpringBootTest
@EnableWebSecurity
@Configuration
public class SecurityConfigurations extends WebSecurityConfigurerAdapter {

    @Bean
    @Override
    protected AuthenticationManager authenticationManager() throws Exception {
        return super.authenticationManager();
    }
    ...

Expected behavior
Being able to run the app and inject the authenticationManager bean

Sample
https://github.com/mmorillodev/stackoverflow-error-sample
@matheusg-morillo matheusg-morillo added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 6, 2021
@sjohnr
Copy link
Member

sjohnr commented Nov 9, 2021

@mmorillodev, thanks for the report and sample.

I don't believe overriding authenticationManager() is the correct thing to do. Using your sample, I was able to override authenticationManagerBean() instead. However, it will yield a different error:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authenticationManagerBean' defined in class path resource [com/stackoverflow/playground/config/SecurityConfiguration.class]: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.authentication.AuthenticationManager]: Factory method 'authenticationManagerBean' threw exception; nested exception is org.springframework.beans.FatalBeanException: A dependency cycle was detected when trying to resolve the AuthenticationManager. Please ensure you have configured authentication.

See this comment for some workarounds.

Since we are currently moving away from WebSecurityConfigurerAdapter, the workarounds above are likely your best bet. I'm going to close this issue as a duplicate of #8369. Let me know if you're still having issues after trying the workaround and we can re-open if needed.

@sjohnr sjohnr closed this as completed Nov 9, 2021
@sjohnr sjohnr self-assigned this Nov 9, 2021
@sjohnr sjohnr added status: duplicate A duplicate of another issue and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Nov 9, 2021
@sjohnr sjohnr added in: core An issue in spring-security-core type: bug A general bug labels Jan 31, 2022
@wigiwee
Copy link

wigiwee commented Sep 21, 2024

this might work

@Bean
public AuthenticationManager authenticationManager(
        AuthenticationManagerBuilder authenticationManagerBuilder) {
    return authenticationManagerBuilder.getOrBuild();
}

@rwinch
Copy link
Member

rwinch commented Sep 23, 2024

To elaborate on what @sjohnr said WebSecurityConfigurerAdapter was removed in Spring Security 6.0.0-RC1 in gh-10902 so this will not happen on supported versions of Spring Security.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sjohnr sjohnr

Labels
in: core An issue in spring-security-core status: duplicate A duplicate of another issue type: bug A general bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@rwinch @sjohnr @matheusg-morillo @wigiwee